The above services are currently provided by 3 AXA Health companies – AXA ICAS Limited, AXA ICAS Occupational Health Services Limited and AXA Health Services Limited. Over the coming months AXA Health Services Limited will become the Data Controller of information which was previously the responsibility of AXA ICAS Limited and AXA ICAS Occupational Health Services Limited. This is why you'll see some overlap in the services below.
When we collect and use your personal information, we ensure we look after it properly and use it in accordance with our privacy principles set out below, keep it safe and will never sell it.
Whilst there are a number of ways we collect your personal information, the two main ways are from information you tell us, and from information gathered from third parties. This may include information you share with us during conversations we have on the phone or face to face. We might also collect information about you from other people and organisations, such as your employer, other AXA Health companies, medical professionals (for example your GP), a treating specialist or physiotherapist in the form of a medical report. Our telephone system records your telephone number when you call us if you haven't withheld it.
We may collect personal information, such as your contact details and medical information. Please note, in certain circumstances we may need to process a large volume of medical information in order to provide the service to you or a third party, for example your employer. The information may be sensitive and confidential in nature.
We use your personal information in accordance with data protection regulations, (including the UK GDPR and the Data Protection Act 2018) and clinical requirements. Below, you will find more about the purposes for which we process your personal information, and the data protection legal grounds we have to do so.
We will process your personal information to provide psychological and musculoskeletal services. If you use these services under your Private Medical Insurance plan or your employer's group scheme, you may see them referred to as 'Stronger Minds' and 'Working Body'. The main legal ground is that the processing is necessary for the performance of a contract with you or to which you are a party. For health and other special categories of information that we obtain we need to meet an additional condition for processing, which is the processing is necessary for the purpose of medical diagnosis, and the provision of healthcare or treatment.
Note: as with all provision of health-related services, there may be circumstances when we process your personal data under other legal grounds, for example:
Your employer may instruct us to carry out services* on health and safety grounds. Our legal grounds for doing this are that the processing is in the legitimate interest of your employer and in some cases, depending on your occupation, your work colleagues and members of the public. The additional condition for processing health information is that the processing is necessary for the purposes of preventative or occupational medicine or the assessment of your working capacity. As the legal grounds for processing your personal data is based on other parties' 'legitimate interests,' you have the right to object to the processing and you can ask us to restrict our processing while we consider your objection. Please see sections 6 and 7 for more information about your data protection rights and how to exercise them.
(*) Occupational health management referrals, new starter health assessments, night worker health assessment, ergonomics, health surveillance assessments, fitness for work assessments, pilot medicals, cabin crew assessments, workplace adjustment assessments, workplace assessments, Air Traffic Controller Officer medicals, pregnancy – new and expectant mums, pensions.
We analyse anonymous information to gain insights about how we can improve our products and services and the health and wellbeing of the people who use them. Further, it allows us to show clients how their workforces interact with different AXA Health services and provide them with workforce heath trends – to do this we may bring together information from your use of various AXA Health services such as your employer's healthcare scheme, and analyse it without using information from which you can be identified. If you'd prefer that we don't use your anonymised information for these purposes, please let us know.
The way that we anonymise personal information is in line with regulatory guidance and is achieved using different techniques, for example removing identifying data or overwriting it with randomised non-identifiable data. In line with regulatory guidance our use of your personal information to create anonymised data relies on the same legal grounds and conditions that were relied on when we obtained your data: the processing is in the legitimate interests of your employer/colleagues/members of the public, and is necessary for the purposes of preventative occupational medicine.
Note: as with all provision of health-related services, there may be circumstances when we process your personal information under other legal grounds, for example:
In respect of these services, we also have to satisfy clinical confidentiality rules. This is in addition to meeting the 'legal grounds' and conditions for processing under Data Protection law. We do this by asking you for a clinical consent to process your clinical information, undertake health-related assessments and to share information from clinical records with third parties, for example your employer for occupational health purposes, or a healthcare professional involved in your care for our other services. Our clinical consent processes are based on the General Medical Council (GMC) Confidentiality Guidance and the Faculty of Occupational Medicine's Ethical Guidance, as well as laws such as the Access to Medical Reports Act 1988 (where applicable). Clinical consent is not the same as consent to process personal information under data protection law; we do not generally use consent as our legal ground or condition for processing personal information under data protection law. If we ever need your consent under data protection law to process your personal data, we'll make that clear to you at the time.
We may process your information to provide you with gym membership or to offer and supply you with the products that you purchase or products that your employer makes available to you through ActivePlus. The legal ground for processing is that the processing is necessary for performance of a contract.
ActivePlus also asks for your marketing preferences so that AXA ICAS Ltd and other companies within the AXA UK group can send you marketing material. You can change your preferences at any time. Separate to that, we may use your personal information for other marketing purposes, even if we do not actually send marketing material to you. The legal ground for doing this is that it is in these companies' legitimate interests. You have the right not to have your personal information used for marketing purposes.
We use your personal information to help us understand our business and monitor our performance.
We may provide reports to your employer, or a parent company, for example about service utilisation and workforce health trends. These are based on aggregated data to a level which means you cannot be identified.
We may use your personal information collected from customer satisfaction surveys and where possible, we will anonymise such information. However, sometimes we may need to use your personal information. Where necessary, we will obtain your consent as our legal ground to process your personal information under data protection rules.
We may share information with other AXA companies, for example with the medical insurance company to help you obtain medical treatment covered by your healthcare policy or scheme. Where you have expressed marketing preferences this information will also be shared. Your personal information may also be transferred to other companies when we make changes to our Group company structure.
Disclosure of your personal information to a third party outside the AXA Group will only be made when the third party has agreed to keep your information strictly confidential and to use it only for the specific purpose for which we provide it to them.
Some recipients (within the AXA Group or external to it) may be in countries outside the UK and the EEA notably in Switzerland, where AXA has a Data Centre. Recipients may also include countries where data protection standards are not as strong as they are in the UK and EEA for example in India, where some administration or computer maintenance activities may be undertaken. Where we make a transfer of your personal information outside the UK and the EEA we will take steps to ensure that it is protected. Such steps will include placing the party we are transferring personal information to under contractual obligations to protect it to adequate standards.
In most cases, we keep your information for between three and six years after our last interaction with you, but this varies depending on what data we hold, why we hold it and what we're obliged to do by the regulator or the law. It can be up to seven years, unless there is a legal or medical regulatory requirement to retain it for a longer period.
You can ask us to do various things with your personal information. For example, at any time you can ask us for a copy of your personal information, ask us to correct mistakes, change the way we use your information, or even delete it. We'll either do what you've asked or explain why we can't - usually this will be for a legal or regulatory reason.
You can make any of the requests set out below by using the contact details you have been provided with for our services or alternatively as set out in section 7.
You are entitled to a copy of the personal information we hold about you and certain details of how we use it. There will not usually be a charge for dealing with these requests. Where you have made the request by electronic means the information will be provided to you by electronic means where possible.
We take steps to ensure that the personal information we hold about you is accurate and complete. However, if you believe information about you is incomplete or inaccurate, please contact us and you can ask us to update or amend it. Please note that this does not give you a right to require that a clinician change their professional opinion should you disagree with it.
In certain circumstances, you have the right to ask us to erase your personal information, for example where the personal information we collected is no longer necessary for the original purpose or if we rely on your consent as the legal grounds to process it under data protection law and you withdraw that consent. However, please note that there may be legal and regulatory obligations which mean that we cannot comply with all erasure requests.
In certain circumstances, you are entitled to ask us to temporarily restrict our use of your personal information, for example where you think that the personal information we hold about you may be inaccurate, or where you have objected to our use of your information, and we are considering how to respond. You may also ask us to keep information on a restricted basis where we would otherwise delete it.
In certain circumstances, you have the right to ask that we provide you in machine readable format, or where feasible transfer to a third party, personal information that you have provided to us yourself. Once transferred, the other party will be responsible for looking after your personal information.
In certain circumstances, you have the right to object to processing of your personal information. You have an absolute right to object to use of your personal information for marketing purposes.
When we have relied on your consent as the legal basis and condition to process your information under data protection law you have the right to withdraw that consent.
As stated in the earlier section “Clinical consent processes for psychological, musculoskeletal and occupational health services,” clinical consent is not the same as consent under Data Protection law. Where we obtain a clinical consent this may be subject to different rules, for example those set out by the General Medical Council, and this right may not apply.
You have a right to complain to the data protection regulators at any time about the way we use your personal information, but before you do they will expect you to have raised your complaint with us first and for us to try to resolve it with you. You can find more information at the following;
UK Information Commissioner's Office website: https://ico.org.uk/
Jersey Office of the Information Commissioner website: https://oicjersey.org/
If you wish to contact the Data Protection Officer, the details are:
The Data Protection Officer
23 St Leonards Road
email address: firstname.lastname@example.org
AXA ICAS Limited trading as AXA Health, is a private limited company incorporated in England and Wales with company number 02548573 and whose registered office is at 20 Gracechurch Street, London EC3V 0BG.
AXA ICAS Occupational Health Services Limited trading as AXA Health, is a private limited company incorporated in England and Wales with company number 01336017 and whose registered office is at 20 Gracechurch Street, London EC3V 0BG
AXA Health Services Limited trading as AXA Health, is a private limited company incorporated in England and Wales with company number 05961472 and whose registered office is at 20 Gracechurch Street, London EC3V 0BG.
Information about some of the other companies in the wider AXA UK Group is available here.
Your personal information can help us give you a better, more personalised service. But looking after that data is a big responsibility. We take our responsibilities seriously, so we've introduced internationally recognised data privacy rules to protect you. We keep your data safe, confidential and will never sell it. And, if you ask us to, we'll tell you exactly what information we have so you can be sure it's up-to-date and accurate.
We know that respecting the confidentiality of personal information is critical to preserving your trust and therefore have developed security procedures and we use a range of organisational and technical security measures designed to protect your personal information from unauthorised use or disclosure.
We process your personal information in accordance with all applicable laws. This includes always having legal grounds under Data Protection law to process your personal information. Additionally, we collect your clinical consent to process your clinical information, to undertake health-related assessments and to share that clinical information with third parties, for example your employer for occupational health purposes or a healthcare professional involved in your care for our other services. Please be aware that clinical consent is not the same as consent under data protection law, so where we obtain a clinical consent this is subject to different rules, for example those set out by the General Medical Council.